From 0b449fe8285e66f909f2f80093806faaf6f22f58 Mon Sep 17 00:00:00 2001
From: Stefan Sterz
Date: Fri, 12 Apr 2024 14:31:56 +0200
Subject: [PATCH] auth: request a write lock when exposing the `LockedTfaConfig`

this function is called every time a user tries to log in to check whether a tfa challenge is required. since the tfa config may need to be written by the auth api (e.g. when a recovery key is used) this needs to use a write lock instead of a read lock in order to avoid potential races.

Signed-off-by: Stefan Sterz
---
 src/auth.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/auth.rs b/src/auth.rs
index ba81e848c..f7251ac58 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -405,7 +405,7 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
 /// Access the TFA config with an exclusive lock.
 fn tfa_config_write_lock(&self) -> Result, Error> {
 Ok(Box::new(PbsLockedTfaConfig {
- _lock: crate::config::tfa::read_lock()?,
+ _lock: crate::config::tfa::write_lock()?,
 config: crate::config::tfa::read()?,
 }))
 }
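Review bot: The fix only holds if the lock is taken before the file is read, and nothing on the `_lock:` / `config:` lines says so. Rust evaluates struct-literal fields in the order written, so `write_lock()?` runs before `read()?` today, but swapping the two fields in the literal would silently read the TFA config outside the lock; a comment above `_lock:` such as `// Acquire the exclusive lock first: fields are evaluated in order, so read() below runs under it.` would pin that. Since this path runs on every login, it is also worth confirming how `write_lock()` behaves under contention (its body is not visible here), because a timeout there would now surface as a failed login and concurrent logins will presumably serialise on it. The function is complete within the hunk; the enclosing `impl` starts outside it.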